CVE-2025-13610 is a medium-severity stored Cross-Site Scripting vulnerability identified in the RegistrationMagic WordPress plugin, which facilitates custom registration forms, user registration, payment processing, and user login functionalities. The vulnerability stems from improper neutralization of input (CWE-79) specifically in the 'theme' attribute processed by the 'RM_Forms' shortcode. The plugin fails to adequately sanitize and escape user-supplied input before rendering it in web pages, allowing authenticated users with contributor-level privileges or higher to inject arbitrary JavaScript code. This malicious code is stored persistently and executed in the browsers of any users who access the affected pages, potentially enabling session hijacking, privilege escalation, or defacement. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required, no user interaction, and partial confidentiality and integrity impact. The vulnerability affects all versions up to 6.0.6.7, with no patches currently linked or publicly available. Although no active exploits have been reported, the vulnerability poses a significant risk due to the widespread use of WordPress and the plugin's role in user authentication and payment processing workflows.

The primary impact of CVE-2025-13610 is the potential compromise of user confidentiality and integrity within affected WordPress sites. Attackers with contributor-level access can inject persistent malicious scripts that execute in the context of other users, including administrators, leading to session hijacking, credential theft, or unauthorized actions performed on behalf of victims. This can result in unauthorized access to sensitive user data, manipulation of registration or payment processes, and potential defacement or reputational damage. While availability is not directly impacted, the indirect consequences of compromised user trust and possible regulatory penalties for data breaches can be severe. Organizations relying on this plugin for critical user management or payment functions are at heightened risk, especially if they have multiple contributors or allow external users to register with elevated privileges.

To mitigate CVE-2025-13610, organizations should immediately upgrade to a patched version of the RegistrationMagic plugin once available. In the absence of an official patch, administrators should restrict contributor-level and higher privileges to trusted users only, minimizing the risk of malicious input injection. Implementing Web Application Firewall (WAF) rules that detect and block suspicious script payloads in the 'theme' attribute or shortcode parameters can provide interim protection. Additionally, site owners should audit existing content for injected scripts and sanitize stored data manually if feasible. Employing Content Security Policy (CSP) headers to restrict inline script execution and external script sources can reduce the impact of successful XSS attacks. Regular security reviews of user roles and permissions, combined with monitoring for unusual user activity, will further reduce exploitation likelihood.